The way you are concatenating user input instead of using OleDbParameter class leaves your program susceptible to SQL Injection Attack. Using an SQL Injection Attack, a nefarious individual could erase or damage your database.